Not planned Option to disable 2FA globally

[RichardKYA]

I would like to see an option to enable/disable 2FA globally.

While providing better security for members is great, for some sites it could be problematic for different reasons and whatever the reason maybe, I think it should be the site owners choice and not just the members choice.

I would think many sites owners and their staff will want to familiarise themselves with the new feature before giving their members the option to use it because it allow them to offer better assistance/support to their members when the inevitable influx of "I'm locked out of my account..." panic e-mails come flooding in.

While there are other reasons, I believe this reason alone should be why having this as an enable/disable globally option should be added.

 

[rugk]

I don't just mean template edits, and link removals, I mean the whole lot, js files, php files, etc that contain any code relating to 2FA.

Why delete files? Besides this could cause errors you can just edit the templates. I mean if there would be an deactivation option you would also just have deactivated the feature and not removed the files.

But anyway if you want to know...
The files are located in library\XenForo\Tfa. But I can't say what happens if you delete them. (worse things can happen... )
Possibly you could also just modify the database to disable each provider.

 

[BassMan]

I don't recommend deleting files on server. Well, I'm not sure what happens too, but "omg don't do that"

 

[Chris D]

Yeah. Don't.

 

[RichardKYA]

Why delete files?

I don't want to delete files, I just want to remove/comment out the code that triggers anything 2FA related if possible, the idea being that users don't even know of it's existence

Thank you for the nod towards the files

 

[Chris D]

That's really not a good idea...

 

[Jeremy]

You shouldn't remove code, it could very well cause quite a bit of problems.

 

[AndyB]

I don't want to delete files, I just want to remove/comment out the code that triggers anything 2FA related if possible, the idea being that users don't even know of it's existence

Thank you for the nod towards the files

There are only two ways the Two-Step Verification can be triggered:

1) The admin sets it as a requirement in the Admin Control Panel.
2) A member clicks the Two-Step Verification link in either the account_wrapper or navigation_visitor_tab.

I suggest installing the the Remove Two Step Verification v1.1 add-on as that is you need to do to prevent it from being used by members.

Remove Two Step Verification

 

[rafass]

[2FA] It is like having a biometric security system to enter the bathroom.[...]

hahaha

 

[RichardKYA]

There are only two ways the Two-Step Verification can be triggered:

1) The admin sets it as a requirement in the Admin Control Panel.
2) A member clicks the Two-Step Verification link in either the account_wrapper or navigation_visitor_tab.

I suggest installing the the Remove Two Step Verification v1.1 add-on as that is you need to do to prevent it from being used by members.

Remove Two Step Verification

Hi Andy, thank you for the nod towards the add-on, but the links are not the issue, after upgrading to 1.5 I removed the links and redirected the pages that I can find straight away Also, I have not set the requirement permission for any user/user group, but I still encountered this issue here

 

[AndyB]

but I still encountered this issue here

Because this only occurred once to you and has never occurred again, I suggest not making any template edits and install the add-on. If the Two Step Verification occurs again let us know.

 

[RichardKYA]

Because this only occurred once to you and has never occurred again

Its happened once, to 5 separate accounts, since Friday - and these are just the accounts that I'm aware of.

I suggest not making any template edits

I don't use XF default or a purchased style, my style is completely my own, so there's many templates that have been edited already

install the add-on

Thank you anyway, but I'm happy with my template edits

 

[emcvay]

OK, I run a forum of dartplayers. They run the mix from CCNA's to technotards and there is nothing in their accounts aother than login details that anyone would worry about. At the moment 2FA has been a pain for everyone. Gmail and hotmail don't like us (for whatever reason, come on, we're dart players and not selling anything) and my members are struggling with this change. On top of that I'm having to do it often! I'm the bloody admin for crying out loud! I have full access to the database. Anyway, I want to disable this, at least for now, so members can log in without being harassed to get Authy or check their email often (30 days? I wish).

 

[Jake B.]

Gmail and hotmail don't like us (for whatever reason, come on, we're dart players and not selling anything)

gmail not liking you is probably a pretty major problem. Are you on shared hosting? It's possible someone else on the same server as you got your server's IP blacklisted. Probably worth looking into this (or using something like SparkPost or Amazon SES for your outgoing emails)

Anyway, I want to disable this, at least for now, so members can log in without being harassed to get Authy or check their email often (30 days? I wish).

XenForo alone doesn't harass anyone to do anything unless you've specifically set it to require 2fa via a permission. Otherwise it's just an option hidden away in the account settings, or you've got an add-on doing something

 

[Chris D]

OK, I run a forum of dartplayers. They run the mix from CCNA's to technotards and there is nothing in their accounts aother than login details that anyone would worry about. At the moment 2FA has been a pain for everyone. Gmail and hotmail don't like us (for whatever reason, come on, we're dart players and not selling anything) and my members are struggling with this change. On top of that I'm having to do it often! I'm the bloody admin for crying out loud! I have full access to the database. Anyway, I want to disable this, at least for now, so members can log in without being harassed to get Authy or check their email often (30 days? I wish).

Two step verification is not enabled by default. It is available to all users if they wish to enable it, but it isn't forced upon them.

If they are being forced to enable it, then you have enabled the permission which forces them to enable it. You need to make sure the "Require two step verification" permission is only enabled for the users who you require to have this enabled (usually this is just moderator and admin users).

 

[emcvay]

Hmmm....2FA seems to be degfaulted on the site and when I turn it off for myself, for example, it just keeps telling me I have to have it on to see or do anything.

 

[emcvay]

Also, if I login as admin, and then log out and log in as myself I have to go through the whole process again! Yikes!

 

[Jake B.]

Also, if I login as admin, and then log out and log in as myself I have to go through the whole process again! Yikes!

You probably have the "Require 2fa" permission set to yes for admins. I'm guessing you went in and just clicked the green "Yes" button at the top of the user group permissions page to give admins all permissions, which in reality isn't the best idea as it does cause quite a few unexpected issues (especially when you throw add-ons into the mix)

 

[emcvay]

OK I checked 'permissions' (hadn't thought of that one) and see that registered users is defaults to

So I'll check it on moderators and admins and see if removing it makes it change for me -- if it does I'll put it back becuase I think that's a good thing but I want to test it (and this is on the beta site anyway).
Thanks!

 

[emcvay]

Ahhh no

I'll check elsewhere -- maybe I changed my test account manually and didn't realize it

 

[Chris D]

Use the Analyze Permissions function in the Admin CP on an affected user.

If you require support after that, please create a new thread in the appropriate forum.